Page MenuHomePhabricator
Create Task
Maniphest T294256

FileImporter allows imports to cascade protected files when the importer does not have administrator permissions (CVE-2022-28206)
Closed, ResolvedPublic3 Estimated Story PointsSecurity
Actions

Description

Steps to reproduce

  • Protect a page with cascading turned on
  • Transclude a non-existent file onto it
  • Import a file to the title which is now cascade protected, using an account without administrator permissions

The import completes successfully, bypassing the cascade protection and creating the page. Similar to T262628.

Details

Risk Rating
Low
Author Affiliation
Wikimedia Communities
SubjectRepoBranchLines +/-
Check edit rights before uploadingmediawiki/extensions/FileImportermaster+17 -9
Customize query in gerrit

Related Objects

Event Timeline

Dylsss created this task.Oct 25 2021, 2:59 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 25 2021, 2:59 PM
Dylsss renamed this task from FileImporter allows imports to cascade protected files when the importer does not have administartor permissions to FileImporter allows imports to cascade protected files when the importer does not have administrator permissions.Oct 25 2021, 3:00 PM
Dylsss added a project: Move-Files-To-Commons.
Dylsss updated the task description. (Show Details)Oct 25 2021, 3:03 PM
Reedy added projects: WMDE-TechWish, WMDE-TechWish-Maintenance.Oct 25 2021, 3:48 PM
Reedy moved this task from Incoming to Watching on the Security-Team board.
Dylsss added a comment.Jan 6 2022, 11:28 PM

The issue appears to be that FileImporter only does checks for create and upload, but not edit. This results in no errors being returned because the PermissionManager::checkCascadingSourcesRestrictions check directly compares the given action to the cascading action restriction (which is only ever edit), this means any checks for actions other than edit will never return errors for cascading restrictions. It looks like the abandoned patch https://gerrit.wikimedia.org/r/c/mediawiki/core/+/233207 would have addressed this bug.

thiemowmde added subscribers: Lena_WMDE, lilients_WMDE, awight and 3 others.Jan 7 2022, 8:55 AM
thiemowmde moved this task from Incoming to Priority backlog on the WMDE-TechWish-Maintenance board.Jan 18 2022, 1:34 PM
WMDE-Fisch claimed this task.Jan 25 2022, 2:37 PM
WMDE-Fisch added a project: WMDE-TechWish-Sprint-2022-01-19.
WMDE-Fisch moved this task from Sprint Backlog to Doing on the WMDE-TechWish-Sprint-2022-01-19 board.
WMDE-Fisch added a comment.Jan 25 2022, 4:07 PM
In T294256#7603240, @Dylsss wrote:

The issue appears to be that FileImporter only does checks for create and upload, but not edit. This results in no errors being returned because the PermissionManager::checkCascadingSourcesRestrictions check directly compares the given action to the cascading action restriction (which is only ever edit), this means any checks for actions other than edit will never return errors for cascading restrictions. It looks like the abandoned patch https://gerrit.wikimedia.org/r/c/mediawiki/core/+/233207 would have addressed this bug.

I tried to solve the issue by adding a check for edit permissions. But from my local smoke tests it did not seem to work. Maybe I misunderstood the comment, and this would only work anyways with the other patch mentioned. 🤔
See https://gerrit.wikimedia.org/r/c/mediawiki/extensions/FileImporter/+/757022

What I did to test:

  • Transcluded a non existing file page ( {{File:Test.jpg}} ) into a page ( Main Page ) on my wiki.
  • Used and admin account to cascade protect Main Page and only allow changes for admins.
  • Used a normal user account with the FileImporter to import a random .jpg file and use the name Test for the import.
  • There should be an error on the import preview page but there's nothing.

I also tried to just upload a file with that name as a normal user and that also worked although the file page should be cascade protected.

WMDE-Fisch removed WMDE-Fisch as the assignee of this task.Jan 25 2022, 4:08 PM
WMDE-Fisch moved this task from Doing to Sprint Backlog on the WMDE-TechWish-Sprint-2022-01-19 board.
WMDE-Fisch moved this task from Priority backlog to In progress on the WMDE-TechWish-Maintenance board.
Dylsss added a comment.Jan 25 2022, 8:56 PM

@WMDE-Fisch Your patch works locally for me?

Screenshot 2022-01-25 205553.jpg (934×1 px, 112 KB)

WMDE-Fisch moved this task from Sprint Backlog to Tech Review on the WMDE-TechWish-Sprint-2022-01-19 board.Jan 26 2022, 1:53 PM
WMDE-Fisch added a comment.Jan 28 2022, 3:13 PM
In T294256#7650447, @Dylsss wrote:

@WMDE-Fisch Your patch works locally for me?

Screenshot 2022-01-25 205553.jpg (934×1 px, 112 KB)

Thanks for testing, still have not figured out, why I can not test it locally. We might just merge the patch and test it on the beta cluster before train rollout.

Dylsss added a comment.Jan 28 2022, 7:42 PM

@WMDE-Fisch I looked over your comment again, and I think it's not working because you are transcluding it like {{File:Test.jpg}} instead of [[File:Test.jpg]]. The former doesn't get any cascading protection.

WMDE-Fisch added a comment.Jan 31 2022, 9:18 AM
In T294256#7660456, @Dylsss wrote:

@WMDE-Fisch I looked over your comment again, and I think it's not working because you are transcluding it like {{File:Test.jpg}} instead of [[File:Test.jpg]]. The former doesn't get any cascading protection.

🤦 thanks for looking at it again and the clarification. Now I could confirm it working as well. Nice!

thiemowmde assigned this task to WMDE-Fisch.Jan 31 2022, 9:42 AM
thiemowmde moved this task from Tech Review to Demo on the WMDE-TechWish-Sprint-2022-01-19 board.
WMDE-Fisch set the point value for this task to 3.Jan 31 2022, 1:29 PM
thiemowmde closed this task as Resolved.Feb 1 2022, 9:35 AM
thiemowmde moved this task from Demo to Done on the WMDE-TechWish-Sprint-2022-01-19 board.
sbassett mentioned this in T297839: Write and send supplementary release announcement for extensions and skins with security patches (1.35.6/1.36.4/1.37.2).Feb 1 2022, 3:47 PM
sbassett subscribed.Feb 1 2022, 3:50 PM

Eh, well, I guess this went through gerrit: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/FileImporter/+/757022. I'lll track it for the next supplemental release (T297839) and we can make the bug public once wmf.20 is done rolling out this week.

sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.Feb 1 2022, 3:51 PM
sbassett added a project: SecTeam-Processed.
sbassett added a project: Vuln-MissingAuthz.Mar 29 2022, 1:24 AM
sbassett renamed this task from FileImporter allows imports to cascade protected files when the importer does not have administrator permissions to FileImporter allows imports to cascade protected files when the importer does not have administrator permissions (CVE-2022-28206).Mar 30 2022, 7:20 PM
sbassett triaged this task as Low priority.Mar 31 2022, 5:42 PM
sbassett changed Author Affiliation from N/A to Wikimedia Communities.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL